diff options
author | Steffan Karger <steffan@karger.me> | 2014-07-13 11:26:32 +0200 |
---|---|---|
committer | Gert Doering <gert@greenie.muc.de> | 2014-07-13 13:41:37 +0200 |
commit | 97bd862ed5c22956cb4405eabae64cf55cabb0d3 (patch) | |
tree | 06347d8e6a5a474fae73a899b6a04d12c5854337 | |
parent | d860ee4a4c2cac03a872f07a9e629b56f3158b8b (diff) | |
download | openvpn-97bd862ed5c22956cb4405eabae64cf55cabb0d3.tar.gz openvpn-97bd862ed5c22956cb4405eabae64cf55cabb0d3.tar.xz openvpn-97bd862ed5c22956cb4405eabae64cf55cabb0d3.zip |
Define dummy SSL_OP_NO_TICKET flag if not present in OpenSSL.
This restores support for pre-0.9.8f OpenSSL versions, which do not include
stateless session resumption, and the accompanying SSL_OP_NO_TICKET flag.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <53C251E2.7050605@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8902
Signed-off-by: Gert Doering <gert@greenie.muc.de>
-rw-r--r-- | configure.ac | 19 | ||||
-rw-r--r-- | src/openvpn/ssl_openssl.h | 11 |
2 files changed, 11 insertions, 19 deletions
diff --git a/configure.ac b/configure.ac index 117eaf6..0d0ab88 100644 --- a/configure.ac +++ b/configure.ac @@ -814,25 +814,6 @@ if test "${have_openssl_crypto}" = "yes"; then LIBS="${saved_LIBS}" fi -if test "${enable_ssl}" = "yes" && test "${with_crypto_library}" = "openssl"; -then - saved_CPPFLAGS="${CPPFLAGS}" - CPPFLAGS="${CPPFLAGS} ${OPENSSL_CRYPTO_CFLAGS}" - AC_MSG_CHECKING([for SSL_OP_NO_TICKET flag in OpenSSL]) - AC_EGREP_CPP(have_ssl_op_no_ticket, [ - #include <openssl/ssl.h> - #ifdef SSL_OP_NO_TICKET - have_ssl_op_no_ticket - #endif - ], [ - AC_MSG_RESULT([yes]) - ], [ - AC_MSG_RESULT([no]) - AC_ERROR([OpenVPN 2.4+ requires SSL_OP_NO_TICKET in OpenSSL]) - ]) - CPPFLAGS="${saved_CPPFLAGS}" -fi - AC_ARG_VAR([POLARSSL_CFLAGS], [C compiler flags for polarssl]) AC_ARG_VAR([POLARSSL_LIBS], [linker flags for polarssl]) have_polarssl_ssl="yes" diff --git a/src/openvpn/ssl_openssl.h b/src/openvpn/ssl_openssl.h index fc2052c..97dc742 100644 --- a/src/openvpn/ssl_openssl.h +++ b/src/openvpn/ssl_openssl.h @@ -33,6 +33,17 @@ #include <openssl/ssl.h> /** + * SSL_OP_NO_TICKET tells OpenSSL to disable "stateless session resumption", + * as this is something we do not want nor need, but could potentially be + * used for a future attack. For compatibility reasons we keep building if the + * OpenSSL version is too old (pre-0.9.8f) to support stateless session + * resumption (and the accompanying SSL_OP_NO_TICKET flag). + */ +#ifndef SSL_OP_NO_TICKET +# define SSL_OP_NO_TICKET 0 +#endif + +/** * Structure that wraps the TLS context. Contents differ depending on the * SSL library used. */ |